Rule-based computer network security systems are well known in the art. Traditional rule specification practice uses constructs based on expression evaluation, with both implied and expressed orders of operation, within single statements and across multiple statements. While it is generally possible to describe network activity of interest with such systems, doing so quickly becomes cumbersome when the rule set must be sufficient to detect computer network activity of interest, because such activity frequently involves multiple events that do not always occur in the same chronological order. Thus, prior-art rule systems having implicit or explicit orders of operation require many permutations of a particular rule to cover variations in occurrence patterns, and such rule sets grow exponentially as the network traffic of interest grows in size. This makes it very difficult to build, troubleshoot, and maintain rule sets sufficiently broad to protect a computer system in a modern networking environment. What is needed is a system that can efficiently specify rules describing complex network traffic patterns of interest, free of cumbersome order-of-operation restrictions, and that can efficiently and accurately match incoming network traffic against a concisely specified rule set, thereby protecting computer networks from attacks and taking appropriate protective actions as specified by the rules.
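The permutation problem described above can be seen in a small detection sketch. This is an added illustration, not code or a method from the document; the event names, streams and function names are constructed assumptions, and the order-free matcher is just one simple way to express a rule without an order of operation.

```python
from itertools import permutations

# Constructed: three event types that together form one activity of interest.
REQUIRED = ("port_scan", "failed_login", "config_change")

# Constructed event streams from a single source; same activity, different order.
STREAM_A = ["port_scan", "dns_query", "failed_login", "config_change"]
STREAM_B = ["config_change", "port_scan", "failed_login"]
STREAM_C = ["port_scan", "failed_login"]  # activity incomplete


def ordered_match(sequence, stream):
    """Order-dependent rule: the events must appear in exactly this order
    (other events may be interleaved)."""
    remaining = iter(stream)
    # 'step in remaining' advances the iterator, so order is enforced.
    return all(step in remaining for step in sequence)


def ordered_ruleset(required):
    """All orderings an order-dependent system needs to cover every arrival
    order of the same events: n! rules for n events."""
    return list(permutations(required))


def ordered_ruleset_match(required, stream):
    """Match against the full permutation rule set."""
    return any(ordered_match(rule, stream) for rule in ordered_ruleset(required))


def unordered_match(required, stream):
    """Order-free rule: one rule that fires once every required event has
    been observed, in any order."""
    pending = set(required)
    for event in stream:
        pending.discard(event)
        if not pending:
            return True
    return False


if __name__ == "__main__":
    for name, stream in (("A", STREAM_A), ("B", STREAM_B), ("C", STREAM_C)):
        print(name,
              "single ordered rule:", ordered_match(REQUIRED, stream),
              "| permutation set:", ordered_ruleset_match(REQUIRED, stream),
              "| order-free rule:", unordered_match(REQUIRED, stream))
    print("ordered rules needed for 3 events:", len(ordered_ruleset(REQUIRED)))
```

In this construction a single ordered rule misses stream B, covering it takes six ordered rules, and the one order-free rule handles both A and B while still rejecting the incomplete stream C.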